How to disable SSL3 and weak ciphers with cherrypy builtin ssl module (python 3)


Problem description


I have configured Cherrypy 3.8.0 with Python 3 to use SSL/TLS. However, I want to disable SSL3 to avoid POODLE. I searched through the documentation but I am unsure on how to implement it.


I am using the cherrypy/python builtin ssl module, not pyOpenSSL which I am unable to use under Python 3.

Recommended answer


To disable SSL3, you should set the ssl_context variable yourself rather than accepting the default. Here's an example using Python's built-in ssl module (in lieu of the built-in cherrypy ssl module).

import cherrypy
import ssl

# Negotiate the best protocol both sides support, then forbid SSLv2 and SSLv3 (POODLE).
ctx = ssl.SSLContext(ssl.PROTOCOL_SSLv23)
ctx.options |= ssl.OP_NO_SSLv2
ctx.options |= ssl.OP_NO_SSLv3

server_config = {  # was undefined in the original; hands ctx to the builtin adapter
    'server.socket_port': 8443,
    'server.ssl_module': 'builtin',
    'server.ssl_certificate': 'cert.pem',      # placeholder path
    'server.ssl_private_key': 'privkey.pem',   # placeholder path
    'server.ssl_context': ctx,
}
cherrypy.config.update(server_config)


where in this case, SSL is from the OpenSSL module.


It's worth noting that beginning in Python 3.2.3, the ssl module disables certain weak ciphers by default.


Furthermore, you can specifically set all the ciphers you want with

# A list (not a set) keeps the server's preference order in the cipher string.
ciphers = [
    'DHE-RSA-AES256-SHA',   # the original read 'AE256', which OpenSSL does not know
    # further OpenSSL cipher names go here
    'RC4-SHA',              # kept from the original; RC4 itself is now considered weak
]

ctx.set_ciphers(':'.join(ciphers))


If you're using the CherryPyWSGIServer from the web.wsgiserver module, you would set the default ciphers with

CherryPyWSGIServer.ssl_adapter.context.set_cipher_list(':'.join(ciphers))


Here is part of the documentation detailing the above: http://docs.cherrypy.org/en/latest/pkg/cherrypy.wsgiserver.html#module-cherrypy.wsgiserver.ssl_builtin


Lastly, here are some sources (asking similar questions) that you may want to look at:
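As an added, self-contained example (not code from the answer above or from CherryPy itself), here is the answer's approach carried through: a server context that refuses SSLv2/SSLv3 and, going beyond the answer, TLS 1.0/1.1 as well, an explicit cipher allow-list, a self-check that no weak suite survived, and the config dict that hands the context to CherryPy's builtin adapter. The suite names, the cert/key paths and the assumption that CherryPy 3.8+ accepts a server.ssl_context key are this example's own.

```python
import ssl

# Explicit allow-list in the spirit of the answer's set_ciphers() call; these
# suite names are this example's own choice (forward secrecy, AEAD, no RC4/3DES).
STRONG_CIPHERS = (
    "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:"
    "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:"
    "DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256"
)
# Substrings that mark an enabled suite as weak for the self-check below.
WEAK_MARKERS = ("RC4", "DES", "NULL", "EXP", "MD5", "ADH", "AECDH")
LEGACY_FLAGS = {"SSLv3": ssl.OP_NO_SSLv3, "TLSv1": ssl.OP_NO_TLSv1,
                "TLSv1.1": ssl.OP_NO_TLSv1_1}

def build_context(certfile=None, keyfile=None):
    """Server context with SSLv2/SSLv3 off (the answer) and, going beyond it,
    TLS 1.0/1.1 off too, restricted to STRONG_CIPHERS."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.options |= ssl.OP_NO_SSLv2 | ssl.OP_NO_SSLv3   # the answer's two flags
    ctx.options |= ssl.OP_NO_TLSv1 | ssl.OP_NO_TLSv1_1
    if hasattr(ctx, "minimum_version"):               # Python 3.7+ equivalent
        ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.set_ciphers(STRONG_CIPHERS)
    if certfile:
        ctx.load_cert_chain(certfile, keyfile)
    return ctx

def disabled_legacy(ctx):
    """Names of the legacy protocols the context refuses, via its OP_NO_* flags."""
    return sorted(n for n, f in LEGACY_FLAGS.items() if ctx.options & f)

def weak_suites(ctx):
    """Enabled suites whose name carries a weak marker; should be empty."""
    return [c["name"] for c in ctx.get_ciphers()
            if any(m in c["name"].upper() for m in WEAK_MARKERS)]

def cherrypy_server_config(ctx, certfile, keyfile, port=8443):
    """Dict for cherrypy.config.update(); 'server.ssl_context' hands the
    prebuilt context to the builtin adapter (assumed to exist in 3.8+)."""
    return {"server.socket_port": port, "server.ssl_module": "builtin",
            "server.ssl_certificate": certfile, "server.ssl_private_key": keyfile,
            "server.ssl_context": ctx}

if __name__ == "__main__":
    import cherrypy                                   # only needed to serve
    context = build_context("cert.pem", "privkey.pem")  # placeholder paths
    assert not weak_suites(context), weak_suites(context)
    cherrypy.config.update(cherrypy_server_config(context, "cert.pem", "privkey.pem"))
    cherrypy.quickstart()
```

Running the module directly starts CherryPy with the hardened context; importing it lets you call build_context() and weak_suites() from your own server setup.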
